Office 365 Account Takeover
Description
Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Authentication, Email, Risk
- Last Updated: 2023-10-17
- Author: Mauricio Velazco, Patrick Bareiss, Splunk
- ID: 7dcea963-af44-4db7-a5b9-fd2b543d9bc9
Narrative
Office 365 (O365) is Microsoft’s cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory (now Microsoft Entra ID) for identity and access management. O365’s centralized storage of sensitive data and widespread adoption make it a key asset for organizations, and therefore a prime target for attackers. The “Office 365 Account Takeover” analytic story focuses on the initial techniques adversaries use to compromise O365 identities, such as password spraying, theft and replay of session cookies to bypass MFA, and consent to malicious OAuth applications. Initial access, in this context, consists of techniques that use various entry vectors to gain an initial foothold within the tenant (MITRE ATT&CK tactic TA0001). Identifying these early indicators in sign-in, email and audit telemetry is crucial for establishing the first line of defense against unauthorized access and potential security incidents within O365 environments.
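The password-spray pattern this story hunts for (one or two guesses against many distinct accounts from a single source, followed by a successful sign-in) can be shown concretely over Azure AD sign-in events. The following is an added illustration written for this page, not one of the Splunk SPL detections in the story and not Splunk’s code; the events are constructed to resemble Azure AD sign-in records, the error codes follow Microsoft’s sign-in error code reference (50126 = invalid username or password, 0 = success), and the window size and thresholds are assumed values a team would tune for its own tenant.

```python
"""Password-spray detection over Azure AD / Entra ID sign-in events.

Added example for this analytic story, not a Splunk detection. The event
records below are constructed; the error codes follow Microsoft's sign-in
error code reference (50126 = invalid username or password, 0 = success).
Window size and thresholds are assumptions to be tuned per tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126  # "Error validating credentials due to invalid username or password"
SUCCESS = 0


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_distinct_users=5, max_attempts_per_user=3):
    """Flag source IPs whose failed sign-ins inside one window touch many
    distinct users with few attempts each (the spray pattern), and list any
    user that succeeded from the same IP after the spray began.

    Returns a list of dicts with keys ip, window_start, distinct_users,
    later_success. At most one finding per IP is emitted.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_time(e["time"])):
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["errorCode"] == INVALID_CREDENTIALS]
        for i, start in enumerate(failures):
            t0 = parse_time(start["time"])
            in_window = [f for f in failures[i:] if parse_time(f["time"]) - t0 <= window]
            per_user = defaultdict(int)
            for f in in_window:
                per_user[f["user"]] += 1
            # Many users, few tries each: a single user failing repeatedly is
            # a typo or a brute force, not a spray, and is left to other logic.
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) <= max_attempts_per_user):
                # A success from the spraying IP after the spray began is the
                # account that accepted a guessed password.
                later_success = sorted({
                    e["user"] for e in evs
                    if e["errorCode"] == SUCCESS and parse_time(e["time"]) >= t0
                })
                findings.append({
                    "ip": ip,
                    "window_start": start["time"],
                    "distinct_users": len(per_user),
                    "later_success": later_success,
                })
                break
    return findings


# Constructed sample events (not real logs). 203.0.113.10 sprays six accounts
# with one guess each, then a later guess against frank succeeds. 198.51.100.7
# is one user mistyping a password four times before getting it right.
SAMPLE_EVENTS = [
    {"time": "2023-10-17T08:00:05Z", "user": "alice@example.com", "ip": "203.0.113.10", "errorCode": 50126},
    {"time": "2023-10-17T08:00:21Z", "user": "bob@example.com", "ip": "203.0.113.10", "errorCode": 50126},
    {"time": "2023-10-17T08:00:40Z", "user": "carol@example.com", "ip": "203.0.113.10", "errorCode": 50126},
    {"time": "2023-10-17T08:01:02Z", "user": "dave@example.com", "ip": "203.0.113.10", "errorCode": 50126},
    {"time": "2023-10-17T08:01:30Z", "user": "erin@example.com", "ip": "203.0.113.10", "errorCode": 50126},
    {"time": "2023-10-17T08:01:55Z", "user": "frank@example.com", "ip": "203.0.113.10", "errorCode": 50126},
    {"time": "2023-10-17T08:06:10Z", "user": "frank@example.com", "ip": "203.0.113.10", "errorCode": 0},
    {"time": "2023-10-17T08:02:00Z", "user": "grace@example.com", "ip": "198.51.100.7", "errorCode": 50126},
    {"time": "2023-10-17T08:02:15Z", "user": "grace@example.com", "ip": "198.51.100.7", "errorCode": 50126},
    {"time": "2023-10-17T08:02:31Z", "user": "grace@example.com", "ip": "198.51.100.7", "errorCode": 50126},
    {"time": "2023-10-17T08:02:50Z", "user": "grace@example.com", "ip": "198.51.100.7", "errorCode": 50126},
    {"time": "2023-10-17T08:03:05Z", "user": "grace@example.com", "ip": "198.51.100.7", "errorCode": 0},
]


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_EVENTS):
        print(finding)
```

The same logic expressed in SPL would group the Authentication datamodel by src and a time bucket, count distinct users among failures, and then join back to successes from the same src. Two caveats a practitioner should carry over: sprays spread across many IPs (proxy pools) will not cluster by source and need a per-tenant baseline of failed-distinct-users instead, and interactive failures from legacy protocols (IMAP, SMTP AUTH, Exchange ActiveSync) are worth alerting on at a lower threshold because they bypass MFA entirely.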
Detections
Reference
- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
- https://www.cisa.gov/uscert/ncas/alerts/aa21-008a
- https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
- https://attack.mitre.org/tactics/TA0001/
- https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/
- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth
- https://www.alteredsecurity.com/post/introduction-to-365-stealer
- https://github.com/AlteredSecurity/365-Stealer
- Source | Version: 1